In September 2021, Quebec’s Parliament updated its data privacy regime by passing the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, 2021 (“Law 25”). It is critical to determine whether an organization is subject to Law 25, as there are potential fines of up to 4% of an organization’s worldwide turnover.[1]

Overall, there is no explicit nonprofit exemption within Law 25. However, Law 25’s applicability to nonprofits depends on the specific processing and commercial activities of the entity.

Click here for an introduction to Law 25.

Are You an Enterprise?   

The key question for Law 25 applicability is whether the entity is considered an “enterprise” under Quebec law.[2] Yet, Law 25 does not itself define the term “enterprise.” Instead, Quebec’s civil code provides the basic definition. Under Quebec law, an enterprise is an “organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.”[3]

Quebec’s data protection authority, Commission d’accès à l’information du Québec (CAI) has further refined the term “enterprise” in relation to data privacy in Quebec. The CAI outlined four elements that should be considered when determining whether an entity is an “enterprise”:[4]

  1. the operations of the enterprise constitute jurisdictional acts, which are repetitive;
  2. there exists a coordination between human and material resources; 
  3. the organization aims to respond to and satisfy certain needs; and
  4. the success depends on similar standards related to market forces and the efforts the businessperson deploys.

When making a determination, the organization’s main activity – not its ancillary activity – is the primary focus of the inquiry.[5]

Besides the four elements, case law has provided some examples of entities that are considered “enterprises” under Quebec law. For example, unions and private clinics, such as a psychiatrist, are both considered enterprises and thus would be subject to Law 25.[6]  However, spiritual organizations, like the Jehovah’s Witnesses, and religions are not considered enterprises because their main purposes are spiritual, not economic.

Consequences

When determining compliance with any law, one of the first and most important steps is to examine applicability of the law. Determining Law 25’s applicability to nonprofits requires a detailed and fact-specific analysis. Where applicability is not clear, it is critical to consider the four factors listed above and to compare the entity’s operations to case law.

[1] *Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

[2] Law 25, section 1.

[3] Quebec Civil Code, 1525.

[4] Learning From a Decade of Experience: Quebec’s Private Sector Privacy Act, 1.2.1   

[5] Id. at 1.2.2.

[6] Id. at 1.2.3 and 1.2.4.

Tags: Canada, data privacy, personal information, privacy law
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Tyler Thompson Tyler Thompson

Tyler J. Thompson advises clients on data privacy and protection, technology contracts and contract processes, websites and mobile apps, digital accessibility, social media, and direct to consumer marketing. Tyler offers clients practical and efficient legal counsel, striving to manage costs and risk with

Tyler J. Thompson advises clients on data privacy and protection, technology contracts and contract processes, websites and mobile apps, digital accessibility, social media, and direct to consumer marketing. Tyler offers clients practical and efficient legal counsel, striving to manage costs and risk with business-friendly strategies.

With deep experience in digital compliance, Tyler focuses on handling all aspects of a client’s website or mobile app to pursue compliance while maintaining the best user experience. His practice also focuses on creating enforceable digital agreements with platform users, whether that platform is a website, SaaS, mobile app, or video game.

Tyler has designed and implemented privacy programs for clients from Fortune 500s to start ups, ensuring those clients are compliant with U.S. and international privacy laws. Tyler also advises on data retention and minimization, privacy by design, data inventories, and privacy impact assessments. Tyler is certified as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals. In addition, he is a Certified Information Privacy Professional for the United States (CIPP/US), Europe (CIPP/E), Asia, (CIPP/A) and Canada (CIPP/C) as well as a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPP/T). Tyler is also an ISACA Certified Data Privacy Solutions Engineer (CDPSE).

In the technology space, Tyler has provided guidance on open source software, digital marketing, software licensing, and SaaS agreements. He also works with clients to modernize commercial contracting processes and privacy practices, enabling in-house attorneys to function more efficiently and conserve resources.

Read more about Tyler ThompsonTyler's Linkedin Profile
Show more Show less
Mike Summers ˘

Mike Summers is a law clerk in Greenberg Traurig’s Data Privacy & Cybersecurity Practice, based in the Denver office.

˘ Not admitted to the practice of law.

Related Posts
shutterstock_1275770422
Processing Sensitive Personal Information under U.S. State Privacy Laws
May 23, 2023
Brazilian Flag
Brazil Update: Administrative Sanctions Loom with New Regulation
March 23, 2023
data privacy 2
Under the CCPA, can a service provider use personal information for its own purposes if it deidentifies or aggregates it?
March 21, 2023